Hi,

You say you can't ping through the PIX. I imagine you mean from a PC on the
inside network to the internet address on the outside network. Did you check
your xlate table to see if it's doing the translation (i.e. show xlate)? I also
notice that you have a VPN; make sure that the address you ping isn't in the
subnet that you define for the VPN nat0 and for interesting traffic.

Looking at your ping results, it looks like you can ping hosts in the inside
and outside interfaces. So you just have to figure out why your pix is
stopping your traffic.

Albert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Tunji Suleiman
Sent: Thursday, February 20, 2003 4:27 PM
To: [EMAIL PROTECTED]
Subject: Traffic thru PIX [7:63347]


Hello All,

Can someone pls tell me how I can allow pings and other traffic thru the
PIX? I've added both access-list and conduits for testing. Can ping from pix
to a test PC on LAN, to Internet router and to UUNet DNS but not from test
PC thru PIX as per below:

PIX# wr t
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password J470/UhJVN.5DRKT encrypted
passwd J470/UhJVN.5DRKT encrypted
hostname PIX
domain-name pixdomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.250.77.3 testpc
name 66.120.182.121 gateway
access-list nat0 permit ip 10.250.77.0 255.255.255.0 10.250.0.0 255.255.0.0
access-list nat0 permit ip 10.250.77.0 255.255.255.0 10.249.0.0 255.255.0.0
access-list oxfordhub permit ip 10.250.77.0 255.255.255.0 10.250.4.0 255.255.255.0
access-list oxfordhub permit ip 10.250.77.0 255.255.255.0 10.249.48.0 255.255.240.0
access-list ipalcohub permit ip 10.250.77.0 255.255.255.0 10.250.3.0 255.255.255.0
access-list ipalcohub permit ip 10.250.77.0 255.255.255.0 10.249.32.0 255.255.240.0
access-list arlhub permit ip 10.250.77.0 255.255.255.0 10.250.0.0 255.255.255.0
access-list arlhub permit ip 10.250.77.0 255.255.255.0 10.249.64.0 255.255.240.0
access-list arlington permit ip 10.250.77.0 255.255.255.0 10.250.2.0 255.255.255.0
access-list arlington permit ip 10.250.77.0 255.255.255.0 10.249.16.0 255.255.240.0
access-list richmond permit ip 10.250.77.0 255.255.255.0 10.250.75.0 255.255.255.0
access-list aclout permit icmp any any
pager lines 24
logging console debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 66.120.182.122 255.255.255.248
ip address inside 10.250.77.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 66.120.182.123 netmask 255.255.255.248
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group aclout in interface outside
conduit permit icmp any any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.250.78.3 255.255.255.255 inside
http 10.250.77.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong3 esp-3des esp-sha-hmac
crypto map cmap 1 ipsec-isakmp
crypto map cmap 1 match address oxfordhub
crypto map cmap 1 set peer 217.33.153.3
crypto map cmap 1 set transform-set strong3
crypto map cmap 2 ipsec-isakmp
crypto map cmap 2 match address ipalcohub
crypto map cmap 2 set peer 216.37.39.66
crypto map cmap 2 set transform-set strong3
crypto map cmap 3 ipsec-isakmp
crypto map cmap 3 match address arlhub
crypto map cmap 3 set peer 206.154.225.2
crypto map cmap 3 set transform-set strong3
crypto map cmap 4 ipsec-isakmp
crypto map cmap 4 match address arlington
crypto map cmap 4 set peer 65.204.31.2
crypto map cmap 4 set transform-set strong3
crypto map cmap 5 ipsec-isakmp
crypto map cmap 5 match address richmond
crypto map cmap 5 set peer 195.172.96.66
crypto map cmap 5 set transform-set strong3
crypto map cmap interface outside
isakmp enable outside
isakmp key ******** address 217.33.153.3 netmask 255.255.255.255
isakmp key ******** address 216.37.39.66 netmask 255.255.255.255
isakmp key ******** address 208.171.213.2 netmask 255.255.255.255
isakmp key ******** address 65.204.31.2 netmask 255.255.255.255
isakmp key ******** address 195.172.96.66 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
telnet 10.250.77.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:91a83ee76d6bfefd0155f5f7f2181f6c
: end
[OK]
PIX#
PIX# ping gateway
     gateway response received -- 0ms
     gateway response received -- 0ms
     gateway response received -- 0ms
PIX# ping 198.6.1.1
     198.6.1.1 response received -- 650ms
     198.6.1.1 response received -- 660ms
     198.6.1.1 response received -- 640ms
PIX# ping 198.6.1.1
     198.6.1.1 response received -- 700ms
     198.6.1.1 response received -- 640ms
     198.6.1.1 response received -- 640ms
PIX# ping testpc
     testpc response received -- 0ms
     testpc response received -- 0ms
     testpc response received -- 0ms
PIX#

TIA.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63410&t=63347
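
The check Albert suggests, as an added example that is not part of the original thread: a short Python script that reads the `access-list`, `nat 0` and `crypto map ... match address` lines from the posted configuration and reports whether a flow is selected for NAT exemption or for a VPN tunnel. The function names are hypothetical, only `permit ip` entries are modelled, and the config lines are copied from the post with wrapped lines joined.

```python
import ipaddress

# Lines copied from the configuration in the post (wrapped lines joined).
CONFIG = """\
access-list nat0 permit ip 10.250.77.0 255.255.255.0 10.250.0.0 255.255.0.0
access-list nat0 permit ip 10.250.77.0 255.255.255.0 10.249.0.0 255.255.0.0
access-list oxfordhub permit ip 10.250.77.0 255.255.255.0 10.250.4.0 255.255.255.0
access-list oxfordhub permit ip 10.250.77.0 255.255.255.0 10.249.48.0 255.255.240.0
access-list aclout permit icmp any any
nat (inside) 0 access-list nat0
crypto map cmap 1 match address oxfordhub
"""

def _take_net(tokens):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse(config):
    """Return (ACL entries, ACL names used by nat 0, ACL names used by crypto maps)."""
    entries, nat0, crypto = [], set(), set()
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            entries.append((t[1], _take_net(rest), _take_net(rest)))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0.add(t[4])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto.add(t[6])
    return entries, nat0, crypto

def classify(config, src, dst):
    """Report which ACLs select a src->dst flow for NAT exemption or for VPN."""
    entries, nat0, crypto = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = {name for name, sn, dn in entries if s in sn and d in dn}
    return {"nat_exempt": sorted(hits & nat0), "vpn": sorted(hits & crypto)}

if __name__ == "__main__":
    # testpc (10.250.77.3) to the DNS server pinged in the post, then to a VPN-side host.
    print(classify(CONFIG, "10.250.77.3", "198.6.1.1"))
    print(classify(CONFIG, "10.250.77.3", "10.250.4.10"))
```

An empty result for both keys means the flow falls through to the ordinary `nat (inside) 1` / `global (outside) 1` translation, which is what `show xlate` should then confirm.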